Still getting some of those GDPR emails? Same here. As dull as it may sound, this is an important new privacy regulation that has applied since May 25th and affects practically everyone engaged in the digital world. We introduced GDPR and its requirements a few months ago; now we can actually observe how this set of rules has affected business. In this blog post, we take a look at how financial and fintech companies are affected by the GDPR.
What do we mean when talking about GDPR?
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is a new EU regulation that replaces the Data Protection Directive 95/46/EC. GDPR gives individuals (the "data subjects") more control over their personal data and, in theory, simplifies things for companies by strengthening and unifying data protection across the European Union, so that one regulation applies directly in every member state instead of a patchwork of national laws.
If you think you are not affected by GDPR because you are located outside the EU, you are mistaken. If you offer goods or services to people in the EU, or monitor their behaviour, you now have to comply with the regulation regardless of where you are established. Let us give you an example: if you run an app or a website that is used by people in Europe, you can avoid GDPR only if you stop offering the service to users in the EU altogether or do not process any personal data at all.
What are the main areas of fintech affected by new regulations?
- Customer consent
Tacit consent is no longer acceptable. Article 4 of the regulation defines personal data broadly: name, email address, location data, IP address, online identifiers, and any information relating to the economic, cultural, psychological or social identity of a natural person. Article 6 then requires a lawful basis for every processing operation. Consent is one such basis (alongside, for example, performance of a contract or a legal obligation such as anti-money-laundering checks), and where consent is the basis it must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and as easy to withdraw as it was to give. Pre-ticked boxes and silence do not count. Companies must explain the purposes for which data is collected before collecting it, and a new purpose, such as sharing the data with third parties for marketing, needs its own lawful basis, in practice a separate, explicit consent.
- Right to be forgotten
GDPR entitles every data subject in the EU to demand that a financial institution provide access to their personal data (Article 15) or erase it (Article 17, the "right to be forgotten"). Banks can keep some data where another legal obligation requires it, for example record-keeping periods under anti-money-laundering rules, but if there is no valid justification for retaining it, the individual's right to erasure prevails and the data must be deleted. In practice this means knowing where every copy of a customer's data lives, including backups, analytics stores and data shared with vendors, so that an erasure request can actually be honoured.
- Protocol to follow with a security breach
Under the new rules, the company (as data controller, usually through its designated data protection officer, DPO) must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33). The notification must describe the nature of the breach, the categories and approximate number of data subjects and records affected, the contact details of the DPO, the likely consequences, and the measures taken or proposed to address it. Where the breach is likely to result in a high risk to individuals, the affected customers must also be informed without undue delay, with a description of the breach, its likely consequences and the steps they can take (Article 34). Note that the penalties are significant: failures of the breach-notification obligations fall under the tier of up to €10 million or 2% of worldwide annual turnover, and the most serious infringements (violating the basic processing principles or data subject rights) carry fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher in each case.
- Vendors and Suppliers Management
GDPR sets an obligation of end-to-end responsibility for personal data processing. A financial institution acting as controller remains responsible for processing carried out on its behalf by external fintech vendors and suppliers (processors), must bind them by contract to the same safeguards (Article 28), and must be able to honour access and erasure requests for data those vendors hold. Processors also have direct obligations of their own, including security measures, keeping records of processing, and reporting breaches to the controller without undue delay. Security of data is equally an issue for cross-border services: when a European bank serving EU customers works with an organisation operating outside the European Union, the transfer needs a lawful mechanism such as an adequacy decision or appropriate safeguards (for example standard contractual clauses), and the same protections must travel with the data.
Pseudonymisation is defined in Article 4(5) of the GDPR as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information", provided that this additional information is kept separately and protected by technical and organisational measures. Tokenisation, and encryption where the key is held separately from the data, are the usual examples. Two caveats matter in practice: pseudonymised data is still personal data under the GDPR (only truly anonymised data falls outside it, Recital 26), and the protection is only as good as the separation of the "additional information", so an unkeyed hash of an email address, which anyone can recompute from a list of candidate addresses, does not qualify. The regulation explicitly names pseudonymisation as an appropriate safeguard (Articles 25 and 32), so financial companies are encouraged to replace customers' identifiers with artificial ones in analytics and secondary systems, reducing the privacy risk while keeping the statistical utility of the data.
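As an added, illustrative example (not code from the original post or from any particular institution), the block below shows the tokenisation approach described above applied to a constructed transaction feed: a token vault that maps customer emails to random tokens and is meant to be stored separately from the pseudonymised records, aggregate analytics that still work on the tokens, an erasure operation that serves the "right to be forgotten" from the earlier section by dropping the mapping so the remaining records can no longer be attributed to the person, and a comparison with a plain SHA-256 hash of the email, which is trivially reversed from a candidate list, versus a keyed HMAC token that is not. The `TokenVault` class, the function names and the sample transactions are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample feed for the example; not real customer data.
TRANSACTIONS = [
    {"email": "alice@example.com", "amount": 120.0, "merchant": "grocer"},
    {"email": "bob@example.com", "amount": 35.5, "merchant": "cafe"},
    {"email": "Alice@Example.com", "amount": 999.0, "merchant": "electronics"},
    {"email": "carol@example.com", "amount": 12.0, "merchant": "cafe"},
    {"email": "alice@example.com", "amount": 40.0, "merchant": "cafe"},
]


class TokenVault:
    """Identifier <-> random token mapping (hypothetical helper).

    This is the 'additional information' of Art. 4(5): it must live in a
    separate, access-controlled store, never next to the pseudonymised data.
    """

    def __init__(self):
        self._forward = {}  # normalised identifier -> token
        self._reverse = {}  # token -> normalised identifier

    @staticmethod
    def _normalise(identifier: str) -> str:
        # Same person, same token: normalise case and whitespace first.
        return identifier.strip().lower()

    def tokenise(self, identifier: str) -> str:
        ident = self._normalise(identifier)
        if ident not in self._forward:
            # Random token: carries no information about the identifier itself.
            token = "tok_" + secrets.token_hex(8)
            self._forward[ident] = token
            self._reverse[token] = ident
        return self._forward[ident]

    def reidentify(self, token: str):
        """Only someone with vault access can go back to the person."""
        return self._reverse.get(token)

    def erase(self, identifier: str) -> bool:
        """Right to erasure: delete the mapping. Records that still carry the
        token keep their statistical value but are no longer attributable."""
        token = self._forward.pop(self._normalise(identifier), None)
        if token is None:
            return False
        del self._reverse[token]
        return True


def pseudonymise_feed(vault: TokenVault, transactions):
    """Replace the direct identifier with a token; keep the analytic fields."""
    return [
        {"subject": vault.tokenise(t["email"]),
         "amount": t["amount"],
         "merchant": t["merchant"]}
        for t in transactions
    ]


def spend_per_subject(records) -> Counter:
    """Aggregate on tokens: utility is preserved without knowing who is who."""
    totals = Counter()
    for r in records:
        totals[r["subject"]] += r["amount"]
    return totals


def naive_hash(identifier: str) -> str:
    """Unkeyed hash: deterministic, but anyone can recompute it."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_token(key: bytes, identifier: str) -> str:
    """HMAC-SHA256 with a secret key: deterministic, but only with the key."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates):
    """What an attacker without the key does: hash guesses until one matches."""
    for c in candidates:
        if hmac.compare_digest(naive_hash(c), target):
            return c
    return None


if __name__ == "__main__":
    vault = TokenVault()
    records = pseudonymise_feed(vault, TRANSACTIONS)
    print(spend_per_subject(records))
    alice = vault.tokenise("alice@example.com")
    print("reidentify:", vault.reidentify(alice))
    vault.erase("alice@example.com")
    print("after erasure:", vault.reidentify(alice))
```

Note that erasing the mapping is not the same as erasing the pseudonymised records: the spend totals are still there, keyed by an orphan token. That is exactly the point for analytics retention, but whether it satisfies an erasure request depends on whether anything else in the record (merchant, timestamps, amounts) could single the person out again, which is why the caveat about pseudonymised data remaining personal data matters.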